Data sharing in local councils 


— six steps to take 


These six steps have been produced following a series of workshops 
and discussions with local councils across the UK and will be of 
interest to parish council clerks looking for steps they can take to 
improve their council’s data protection compliance. 


1) | Be clear about your purposes 


There must be a specific purpose for sharing personal data. Before you share 
information with another organisation you should be clear on what the sharing is 
meant to achieve. You will need to record your purposes and specify them in 
your council’s privacy information to individuals. 


There are a variety of reasons why local councils may need to share personal 
data. For example, it may be necessary for you to share data to deal with a 
residential complaint or perhaps for employment purposes or to administrate 
community memberships. 


2) | Identify your lawful basis 


To comply with UK GDPR you must identify and document an appropriate lawful 
basis for sharing the information. There are six lawful bases and no single basis 
is better or more important than the others - the most appropriate one for your 
council will depend on your purpose. 


Use our lawful basis tool to identify your lawful basis. 
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© | Check the sharing is necessary 


Many of the lawful bases for processing depend on the processing being 
necessary. The sharing has to be more than just useful or standard practice for 
it to be necessary. If you can reasonably achieve the same purpose another way 
or by sharing less information, then the sharing won’t be necessary and your 
lawful basis won't be valid. 


For example, a parish council receives reports of anti-social behaviour on a 
number of its allotments. The police want to offer crime prevention advice to the 
allotment tenants and asks the council for a list of contact details of the tenants 
from its allotment database. The council decided that sharing the contact 
information with the police in this instance was not necessary. The same 
purpose (crime prevention advice) could still be achieved by the council 
distributing the advice to the tenants themselves, on behalf of the police. 


O | Only share the personal data you need to 


Councils should only share the minimum amount of personal data that is needed 
to help your council achieve its purpose. Sharing more information than is 
needed may be considered excessive and in contravention of UK GDPR. 


For example, a local council has received an email from a resident about a 
pothole that has recently damaged their car. The clerk reports the pothole to the 
highways agency but as it is located in a rural area, it is necessary for them to 
provide the address details of the house it is near to so it can be fixed. The clerk 
recognises that it is not necessary to share any other personal data (such as the 
complainant’s information) in this instance. 
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O | Inform individuals about the data sharing 


Individuals have a right to be informed about the use of their personal data. It’s 
also a key transparency requirement under the UK GDPR. When you collect the 
information from individuals, the UK GDPR requires you to inform them of 
certain information. This is known as privacy information. Even if you don’t get 
the personal data directly from the individual concerned, you still must provide 
them with privacy information. 


For example, before sharing any data with a third party, make sure that 
individuals have been informed about it. You must tell individuals (amongst 
other things) who you will share their information with, the reason(s) why, and 
your lawful basis for doing it. You can meet this requirement by putting the 
information in the council’s privacy notice but you must make individuals aware 
of it and give them an easy way to access it - for example providing them a link 
to the privacy notice on the council’s website when you collect their information. 


O [ Demonstrate your accountability 


The accountability principle requires you to take responsibility for what you do 
with personal data and how you comply with the other principles of UK GDPR. If 
you're sharing personal data you'll need to evidence your compliance and justify 
your approach. 


Documenting the purposes and lawful bases for your council’s data sharing is a 
good example to demonstrate your accountability. If you regularly share data 
with the same organisation, then a data sharing agreement would be good 
practice to demonstrate your accountability. 


More information 


For more information please visit www.ico.org.uk/for-organisations. 
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